mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-04 12:18:16 +00:00
579 lines
24 KiB
Go
579 lines
24 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package validation
|
|
|
|
import (
|
|
"fmt"
|
|
"reflect"
|
|
"strings"
|
|
"time"
|
|
|
|
apiequality "k8s.io/apimachinery/pkg/api/equality"
|
|
apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
|
|
metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
|
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
api "k8s.io/kubernetes/pkg/apis/core"
|
|
"k8s.io/kubernetes/pkg/apis/core/helper"
|
|
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
|
|
"k8s.io/kubernetes/pkg/apis/storage"
|
|
"k8s.io/kubernetes/pkg/features"
|
|
)
|
|
|
|
const (
|
|
maxProvisionerParameterSize = 256 * (1 << 10) // 256 kB
|
|
maxProvisionerParameterLen = 512
|
|
|
|
maxAttachedVolumeMetadataSize = 256 * (1 << 10) // 256 kB
|
|
maxVolumeErrorMessageSize = 1024
|
|
|
|
csiNodeIDMaxLength = 192
|
|
csiNodeIDLongerMaxLength = 256
|
|
)
|
|
|
|
// CSINodeValidationOptions contains the validation options for validating CSINode
|
|
type CSINodeValidationOptions struct {
|
|
AllowLongNodeID bool
|
|
}
|
|
|
|
// ValidateStorageClass validates a StorageClass.
|
|
func ValidateStorageClass(storageClass *storage.StorageClass) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMeta(&storageClass.ObjectMeta, false, apivalidation.ValidateClassName, field.NewPath("metadata"))
|
|
allErrs = append(allErrs, validateProvisioner(storageClass.Provisioner, field.NewPath("provisioner"))...)
|
|
allErrs = append(allErrs, validateParameters(storageClass.Parameters, field.NewPath("parameters"))...)
|
|
allErrs = append(allErrs, validateReclaimPolicy(storageClass.ReclaimPolicy, field.NewPath("reclaimPolicy"))...)
|
|
allErrs = append(allErrs, validateVolumeBindingMode(storageClass.VolumeBindingMode, field.NewPath("volumeBindingMode"))...)
|
|
allErrs = append(allErrs, validateAllowedTopologies(storageClass.AllowedTopologies, field.NewPath("allowedTopologies"))...)
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateStorageClassUpdate tests if an update to StorageClass is valid.
|
|
func ValidateStorageClassUpdate(storageClass, oldStorageClass *storage.StorageClass) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMetaUpdate(&storageClass.ObjectMeta, &oldStorageClass.ObjectMeta, field.NewPath("metadata"))
|
|
if !reflect.DeepEqual(oldStorageClass.Parameters, storageClass.Parameters) {
|
|
allErrs = append(allErrs, field.Forbidden(field.NewPath("parameters"), "updates to parameters are forbidden."))
|
|
}
|
|
|
|
if storageClass.Provisioner != oldStorageClass.Provisioner {
|
|
allErrs = append(allErrs, field.Forbidden(field.NewPath("provisioner"), "updates to provisioner are forbidden."))
|
|
}
|
|
|
|
if *storageClass.ReclaimPolicy != *oldStorageClass.ReclaimPolicy {
|
|
allErrs = append(allErrs, field.Forbidden(field.NewPath("reclaimPolicy"), "updates to reclaimPolicy are forbidden."))
|
|
}
|
|
|
|
allErrs = append(allErrs, apivalidation.ValidateImmutableField(storageClass.VolumeBindingMode, oldStorageClass.VolumeBindingMode, field.NewPath("volumeBindingMode"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// validateProvisioner tests if provisioner is a valid qualified name.
|
|
func validateProvisioner(provisioner string, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if len(provisioner) == 0 {
|
|
allErrs = append(allErrs, field.Required(fldPath, provisioner))
|
|
}
|
|
if len(provisioner) > 0 {
|
|
allErrs = append(allErrs, apivalidation.ValidateQualifiedName(strings.ToLower(provisioner), fldPath)...)
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// validateParameters tests that keys are qualified names and that provisionerParameter are < 256kB.
|
|
func validateParameters(params map[string]string, fldPath *field.Path) field.ErrorList {
|
|
var totalSize int64
|
|
allErrs := field.ErrorList{}
|
|
|
|
if len(params) > maxProvisionerParameterLen {
|
|
allErrs = append(allErrs, field.TooLong(fldPath, "Provisioner Parameters exceeded max allowed", maxProvisionerParameterLen))
|
|
return allErrs
|
|
}
|
|
|
|
for k, v := range params {
|
|
if len(k) < 1 {
|
|
allErrs = append(allErrs, field.Invalid(fldPath, k, "field can not be empty."))
|
|
}
|
|
totalSize += (int64)(len(k)) + (int64)(len(v))
|
|
}
|
|
|
|
if totalSize > maxProvisionerParameterSize {
|
|
allErrs = append(allErrs, field.TooLong(fldPath, "", maxProvisionerParameterSize))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
var supportedReclaimPolicy = sets.NewString(string(api.PersistentVolumeReclaimDelete), string(api.PersistentVolumeReclaimRetain))
|
|
|
|
// validateReclaimPolicy tests that the reclaim policy is one of the supported. It is up to the volume plugin to reject
|
|
// provisioning for storage classes with impossible reclaim policies, e.g. EBS is not Recyclable
|
|
func validateReclaimPolicy(reclaimPolicy *api.PersistentVolumeReclaimPolicy, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if len(string(*reclaimPolicy)) > 0 {
|
|
if !supportedReclaimPolicy.Has(string(*reclaimPolicy)) {
|
|
allErrs = append(allErrs, field.NotSupported(fldPath, reclaimPolicy, supportedReclaimPolicy.List()))
|
|
}
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateVolumeAttachment validates a VolumeAttachment. This function is common for v1 and v1beta1 objects,
|
|
func ValidateVolumeAttachment(volumeAttachment *storage.VolumeAttachment) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMeta(&volumeAttachment.ObjectMeta, false, apivalidation.ValidateClassName, field.NewPath("metadata"))
|
|
allErrs = append(allErrs, validateVolumeAttachmentSpec(&volumeAttachment.Spec, field.NewPath("spec"))...)
|
|
allErrs = append(allErrs, validateVolumeAttachmentStatus(&volumeAttachment.Status, field.NewPath("status"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateVolumeAttachmentV1 validates a v1/VolumeAttachment. It contains only extra checks missing in
|
|
// ValidateVolumeAttachment.
|
|
func ValidateVolumeAttachmentV1(volumeAttachment *storage.VolumeAttachment) field.ErrorList {
|
|
allErrs := apivalidation.ValidateCSIDriverName(volumeAttachment.Spec.Attacher, field.NewPath("spec.attacher"))
|
|
|
|
if volumeAttachment.Spec.Source.PersistentVolumeName != nil {
|
|
pvName := *volumeAttachment.Spec.Source.PersistentVolumeName
|
|
for _, msg := range apivalidation.ValidatePersistentVolumeName(pvName, false) {
|
|
allErrs = append(allErrs, field.Invalid(field.NewPath("spec.source.persistentVolumeName"), pvName, msg))
|
|
}
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateVolumeAttachmentSpec tests that the specified VolumeAttachmentSpec
|
|
// has valid data.
|
|
func validateVolumeAttachmentSpec(
|
|
spec *storage.VolumeAttachmentSpec, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
allErrs = append(allErrs, validateAttacher(spec.Attacher, fldPath.Child("attacher"))...)
|
|
allErrs = append(allErrs, validateVolumeAttachmentSource(&spec.Source, fldPath.Child("source"))...)
|
|
allErrs = append(allErrs, validateNodeName(spec.NodeName, fldPath.Child("nodeName"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// validateAttacher tests if attacher is a valid qualified name.
|
|
func validateAttacher(attacher string, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if len(attacher) == 0 {
|
|
allErrs = append(allErrs, field.Required(fldPath, attacher))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// validateSource tests if the source is valid for VolumeAttachment.
|
|
func validateVolumeAttachmentSource(source *storage.VolumeAttachmentSource, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
switch {
|
|
case source.InlineVolumeSpec == nil && source.PersistentVolumeName == nil:
|
|
allErrs = append(allErrs, field.Required(fldPath, "must specify exactly one of inlineVolumeSpec and persistentVolumeName"))
|
|
case source.InlineVolumeSpec != nil && source.PersistentVolumeName != nil:
|
|
allErrs = append(allErrs, field.Forbidden(fldPath, "must specify exactly one of inlineVolumeSpec and persistentVolumeName"))
|
|
case source.PersistentVolumeName != nil:
|
|
if len(*source.PersistentVolumeName) == 0 {
|
|
// Invalid err
|
|
allErrs = append(allErrs, field.Required(fldPath.Child("persistentVolumeName"), "must specify non empty persistentVolumeName"))
|
|
}
|
|
case source.InlineVolumeSpec != nil:
|
|
opts := apivalidation.PersistentVolumeSpecValidationOptions{}
|
|
allErrs = append(allErrs, apivalidation.ValidatePersistentVolumeSpec(source.InlineVolumeSpec, "", true, fldPath.Child("inlineVolumeSpec"), opts)...)
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// validateNodeName tests if the nodeName is valid for VolumeAttachment.
|
|
func validateNodeName(nodeName string, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
for _, msg := range apivalidation.ValidateNodeName(nodeName, false /* prefix */) {
|
|
allErrs = append(allErrs, field.Invalid(fldPath, nodeName, msg))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// validaVolumeAttachmentStatus tests if volumeAttachmentStatus is valid.
|
|
func validateVolumeAttachmentStatus(status *storage.VolumeAttachmentStatus, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
allErrs = append(allErrs, validateAttachmentMetadata(status.AttachmentMetadata, fldPath.Child("attachmentMetadata"))...)
|
|
allErrs = append(allErrs, validateVolumeError(status.AttachError, fldPath.Child("attachError"))...)
|
|
allErrs = append(allErrs, validateVolumeError(status.DetachError, fldPath.Child("detachError"))...)
|
|
return allErrs
|
|
}
|
|
|
|
func validateAttachmentMetadata(metadata map[string]string, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
|
|
var size int64
|
|
for k, v := range metadata {
|
|
size += (int64)(len(k)) + (int64)(len(v))
|
|
}
|
|
if size > maxAttachedVolumeMetadataSize {
|
|
allErrs = append(allErrs, field.TooLong(fldPath, metadata, maxAttachedVolumeMetadataSize))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
func validateVolumeError(e *storage.VolumeError, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
|
|
if e == nil {
|
|
return allErrs
|
|
}
|
|
if len(e.Message) > maxVolumeErrorMessageSize {
|
|
allErrs = append(allErrs, field.TooLong(fldPath.Child("message"), e.Message, maxAttachedVolumeMetadataSize))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateVolumeAttachmentUpdate validates a VolumeAttachment.
|
|
func ValidateVolumeAttachmentUpdate(new, old *storage.VolumeAttachment) field.ErrorList {
|
|
allErrs := ValidateVolumeAttachment(new)
|
|
|
|
// Spec is read-only
|
|
// If this ever relaxes in the future, make sure to increment the Generation number in PrepareForUpdate
|
|
if !apiequality.Semantic.DeepEqual(old.Spec, new.Spec) {
|
|
allErrs = append(allErrs, field.Invalid(field.NewPath("spec"), new.Spec, "field is immutable"))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
var supportedVolumeBindingModes = sets.NewString(string(storage.VolumeBindingImmediate), string(storage.VolumeBindingWaitForFirstConsumer))
|
|
|
|
// validateVolumeBindingMode tests that VolumeBindingMode specifies valid values.
|
|
func validateVolumeBindingMode(mode *storage.VolumeBindingMode, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if mode == nil {
|
|
allErrs = append(allErrs, field.Required(fldPath, ""))
|
|
} else if !supportedVolumeBindingModes.Has(string(*mode)) {
|
|
allErrs = append(allErrs, field.NotSupported(fldPath, mode, supportedVolumeBindingModes.List()))
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validateAllowedTopology tests that AllowedTopologies specifies valid values.
|
|
func validateAllowedTopologies(topologies []api.TopologySelectorTerm, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
|
|
if len(topologies) == 0 {
|
|
return allErrs
|
|
}
|
|
|
|
rawTopologies := make([]map[string]sets.String, len(topologies))
|
|
for i, term := range topologies {
|
|
idxPath := fldPath.Index(i)
|
|
exprMap, termErrs := apivalidation.ValidateTopologySelectorTerm(term, fldPath.Index(i))
|
|
allErrs = append(allErrs, termErrs...)
|
|
|
|
// TODO (verult) consider improving runtime
|
|
for _, t := range rawTopologies {
|
|
if helper.Semantic.DeepEqual(exprMap, t) {
|
|
allErrs = append(allErrs, field.Duplicate(idxPath.Child("matchLabelExpressions"), ""))
|
|
}
|
|
}
|
|
|
|
rawTopologies = append(rawTopologies, exprMap)
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSINode validates a CSINode.
|
|
func ValidateCSINode(csiNode *storage.CSINode, validationOpts CSINodeValidationOptions) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMeta(&csiNode.ObjectMeta, false, apivalidation.ValidateNodeName, field.NewPath("metadata"))
|
|
allErrs = append(allErrs, validateCSINodeSpec(&csiNode.Spec, field.NewPath("spec"), validationOpts)...)
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSINodeUpdate validates a CSINode.
|
|
func ValidateCSINodeUpdate(new, old *storage.CSINode, validationOpts CSINodeValidationOptions) field.ErrorList {
|
|
allErrs := ValidateCSINode(new, validationOpts)
|
|
|
|
// Validate modifying fields inside an existing CSINodeDriver entry is not allowed
|
|
for _, oldDriver := range old.Spec.Drivers {
|
|
for _, newDriver := range new.Spec.Drivers {
|
|
if oldDriver.Name == newDriver.Name {
|
|
if !apiequality.Semantic.DeepEqual(oldDriver, newDriver) {
|
|
allErrs = append(allErrs, field.Invalid(field.NewPath("CSINodeDriver"), newDriver, "field is immutable"))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSINodeSpec tests that the specified CSINodeSpec has valid data.
|
|
func validateCSINodeSpec(
|
|
spec *storage.CSINodeSpec, fldPath *field.Path, validationOpts CSINodeValidationOptions) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
allErrs = append(allErrs, validateCSINodeDrivers(spec.Drivers, fldPath.Child("drivers"), validationOpts)...)
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSINodeDrivers tests that the specified CSINodeDrivers have valid data.
|
|
func validateCSINodeDrivers(drivers []storage.CSINodeDriver, fldPath *field.Path, validationOpts CSINodeValidationOptions) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
driverNamesInSpecs := sets.New[string]()
|
|
for i, driver := range drivers {
|
|
idxPath := fldPath.Index(i)
|
|
allErrs = append(allErrs, validateCSINodeDriver(driver, driverNamesInSpecs, idxPath, validationOpts)...)
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validateCSINodeDriverNodeID tests if Name in CSINodeDriver is a valid node id.
|
|
func validateCSINodeDriverNodeID(nodeID string, fldPath *field.Path, validationOpts CSINodeValidationOptions) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
|
|
// nodeID is always required
|
|
if len(nodeID) == 0 {
|
|
allErrs = append(allErrs, field.Required(fldPath, nodeID))
|
|
}
|
|
maxLength := csiNodeIDMaxLength
|
|
if validationOpts.AllowLongNodeID {
|
|
maxLength = csiNodeIDLongerMaxLength
|
|
}
|
|
if len(nodeID) > maxLength {
|
|
allErrs = append(allErrs, field.Invalid(fldPath, nodeID, fmt.Sprintf("must be %d characters or less", maxLength)))
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// validateCSINodeDriverAllocatable tests if Allocatable in CSINodeDriver has valid volume limits.
|
|
func validateCSINodeDriverAllocatable(a *storage.VolumeNodeResources, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
|
|
if a == nil || a.Count == nil {
|
|
return allErrs
|
|
}
|
|
|
|
allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(*a.Count), fldPath.Child("count"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// validateCSINodeDriver tests if CSINodeDriver has valid entries
|
|
func validateCSINodeDriver(driver storage.CSINodeDriver, driverNamesInSpecs sets.Set[string], fldPath *field.Path,
|
|
validationOpts CSINodeValidationOptions) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
|
|
allErrs = append(allErrs, apivalidation.ValidateCSIDriverName(driver.Name, fldPath.Child("name"))...)
|
|
allErrs = append(allErrs, validateCSINodeDriverNodeID(driver.NodeID, fldPath.Child("nodeID"), validationOpts)...)
|
|
allErrs = append(allErrs, validateCSINodeDriverAllocatable(driver.Allocatable, fldPath.Child("allocatable"))...)
|
|
|
|
// check for duplicate entries for the same driver in specs
|
|
if driverNamesInSpecs.Has(driver.Name) {
|
|
allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), driver.Name))
|
|
}
|
|
driverNamesInSpecs.Insert(driver.Name)
|
|
topoKeys := sets.New[string]()
|
|
for _, key := range driver.TopologyKeys {
|
|
if len(key) == 0 {
|
|
allErrs = append(allErrs, field.Required(fldPath, key))
|
|
}
|
|
|
|
if topoKeys.Has(key) {
|
|
allErrs = append(allErrs, field.Duplicate(fldPath, key))
|
|
}
|
|
topoKeys.Insert(key)
|
|
|
|
allErrs = append(allErrs, apivalidation.ValidateQualifiedName(key, fldPath)...)
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSIDriverName checks that a name is appropriate for a
|
|
// CSIDriver object.
|
|
var ValidateCSIDriverName = apimachineryvalidation.NameIsDNSSubdomain
|
|
|
|
// ValidateCSIDriver validates a CSIDriver.
|
|
func ValidateCSIDriver(csiDriver *storage.CSIDriver) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMeta(&csiDriver.ObjectMeta, false, ValidateCSIDriverName, field.NewPath("metadata"))
|
|
|
|
allErrs = append(allErrs, validateCSIDriverSpec(&csiDriver.Spec, field.NewPath("spec"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSIDriverUpdate validates a CSIDriver.
|
|
func ValidateCSIDriverUpdate(new, old *storage.CSIDriver) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))
|
|
allErrs = append(allErrs, validateCSIDriverSpec(&new.Spec, field.NewPath("spec"))...)
|
|
|
|
// immutable fields should not be mutated.
|
|
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.AttachRequired, old.Spec.AttachRequired, field.NewPath("spec", "attachedRequired"))...)
|
|
allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(new.Spec.VolumeLifecycleModes, old.Spec.VolumeLifecycleModes, field.NewPath("spec", "volumeLifecycleModes"))...)
|
|
|
|
allErrs = append(allErrs, validateTokenRequests(new.Spec.TokenRequests, field.NewPath("spec", "tokenRequests"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSIDriverSpec tests that the specified CSIDriverSpec
|
|
// has valid data.
|
|
func validateCSIDriverSpec(
|
|
spec *storage.CSIDriverSpec, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
allErrs = append(allErrs, validateAttachRequired(spec.AttachRequired, fldPath.Child("attachedRequired"))...)
|
|
allErrs = append(allErrs, validatePodInfoOnMount(spec.PodInfoOnMount, fldPath.Child("podInfoOnMount"))...)
|
|
allErrs = append(allErrs, validateStorageCapacity(spec.StorageCapacity, fldPath.Child("storageCapacity"))...)
|
|
allErrs = append(allErrs, validateFSGroupPolicy(spec.FSGroupPolicy, fldPath.Child("fsGroupPolicy"))...)
|
|
allErrs = append(allErrs, validateTokenRequests(spec.TokenRequests, fldPath.Child("tokenRequests"))...)
|
|
allErrs = append(allErrs, validateVolumeLifecycleModes(spec.VolumeLifecycleModes, fldPath.Child("volumeLifecycleModes"))...)
|
|
allErrs = append(allErrs, validateSELinuxMount(spec.SELinuxMount, fldPath.Child("seLinuxMount"))...)
|
|
return allErrs
|
|
}
|
|
|
|
// validateAttachRequired tests if attachRequired is set for CSIDriver.
|
|
func validateAttachRequired(attachRequired *bool, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if attachRequired == nil {
|
|
allErrs = append(allErrs, field.Required(fldPath, ""))
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validatePodInfoOnMount tests if podInfoOnMount is set for CSIDriver.
|
|
func validatePodInfoOnMount(podInfoOnMount *bool, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if podInfoOnMount == nil {
|
|
allErrs = append(allErrs, field.Required(fldPath, ""))
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validateStorageCapacity tests if storageCapacity is set for CSIDriver.
|
|
func validateStorageCapacity(storageCapacity *bool, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if storageCapacity == nil {
|
|
allErrs = append(allErrs, field.Required(fldPath, ""))
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
var supportedFSGroupPolicy = sets.NewString(string(storage.ReadWriteOnceWithFSTypeFSGroupPolicy), string(storage.FileFSGroupPolicy), string(storage.NoneFSGroupPolicy))
|
|
|
|
// validateFSGroupPolicy tests if FSGroupPolicy contains an appropriate value.
|
|
func validateFSGroupPolicy(fsGroupPolicy *storage.FSGroupPolicy, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if fsGroupPolicy == nil {
|
|
// This is not a required field, so if nothing is provided simply return
|
|
return allErrs
|
|
}
|
|
|
|
if !supportedFSGroupPolicy.Has(string(*fsGroupPolicy)) {
|
|
allErrs = append(allErrs, field.NotSupported(fldPath, fsGroupPolicy, supportedFSGroupPolicy.List()))
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validateTokenRequests tests if the Audience in each TokenRequest are different.
|
|
// Besides, at most one TokenRequest can ignore Audience.
|
|
func validateTokenRequests(tokenRequests []storage.TokenRequest, fldPath *field.Path) field.ErrorList {
|
|
const min = 10 * time.Minute
|
|
allErrs := field.ErrorList{}
|
|
audiences := make(map[string]bool)
|
|
for i, tokenRequest := range tokenRequests {
|
|
path := fldPath.Index(i)
|
|
audience := tokenRequest.Audience
|
|
if _, ok := audiences[audience]; ok {
|
|
allErrs = append(allErrs, field.Duplicate(path.Child("audience"), audience))
|
|
continue
|
|
}
|
|
audiences[audience] = true
|
|
|
|
if tokenRequest.ExpirationSeconds == nil {
|
|
continue
|
|
}
|
|
if *tokenRequest.ExpirationSeconds < int64(min.Seconds()) {
|
|
allErrs = append(allErrs, field.Invalid(path.Child("expirationSeconds"), *tokenRequest.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
|
|
}
|
|
if *tokenRequest.ExpirationSeconds > 1<<32 {
|
|
allErrs = append(allErrs, field.Invalid(path.Child("expirationSeconds"), *tokenRequest.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds"))
|
|
}
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validateVolumeLifecycleModes tests if mode has one of the allowed values.
|
|
func validateVolumeLifecycleModes(modes []storage.VolumeLifecycleMode, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
for _, mode := range modes {
|
|
switch mode {
|
|
case storage.VolumeLifecyclePersistent, storage.VolumeLifecycleEphemeral:
|
|
default:
|
|
allErrs = append(allErrs, field.NotSupported(fldPath, mode,
|
|
[]string{
|
|
string(storage.VolumeLifecyclePersistent),
|
|
string(storage.VolumeLifecycleEphemeral),
|
|
}))
|
|
}
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// validateSELinuxMount tests if seLinuxMount is set for CSIDriver.
|
|
func validateSELinuxMount(seLinuxMount *bool, fldPath *field.Path) field.ErrorList {
|
|
allErrs := field.ErrorList{}
|
|
if seLinuxMount == nil && utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
|
|
allErrs = append(allErrs, field.Required(fldPath, ""))
|
|
}
|
|
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateStorageCapacityName checks that a name is appropriate for a
|
|
// CSIStorageCapacity object.
|
|
var ValidateStorageCapacityName = apimachineryvalidation.NameIsDNSSubdomain
|
|
|
|
type CSIStorageCapacityValidateOptions struct {
|
|
AllowInvalidLabelValueInSelector bool
|
|
}
|
|
|
|
// ValidateCSIStorageCapacity validates a CSIStorageCapacity.
|
|
func ValidateCSIStorageCapacity(capacity *storage.CSIStorageCapacity, opts CSIStorageCapacityValidateOptions) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMeta(&capacity.ObjectMeta, true, ValidateStorageCapacityName, field.NewPath("metadata"))
|
|
labelSelectorValidationOptions := metav1validation.LabelSelectorValidationOptions{AllowInvalidLabelValueInSelector: opts.AllowInvalidLabelValueInSelector}
|
|
allErrs = append(allErrs, metav1validation.ValidateLabelSelector(capacity.NodeTopology, labelSelectorValidationOptions, field.NewPath("nodeTopology"))...)
|
|
for _, msg := range apivalidation.ValidateClassName(capacity.StorageClassName, false) {
|
|
allErrs = append(allErrs, field.Invalid(field.NewPath("storageClassName"), capacity.StorageClassName, msg))
|
|
}
|
|
if capacity.Capacity != nil {
|
|
allErrs = append(allErrs, apivalidation.ValidateNonnegativeQuantity(*capacity.Capacity, field.NewPath("capacity"))...)
|
|
}
|
|
return allErrs
|
|
}
|
|
|
|
// ValidateCSIStorageCapacityUpdate tests if an update to CSIStorageCapacity is valid.
|
|
func ValidateCSIStorageCapacityUpdate(capacity, oldCapacity *storage.CSIStorageCapacity) field.ErrorList {
|
|
allErrs := apivalidation.ValidateObjectMetaUpdate(&capacity.ObjectMeta, &oldCapacity.ObjectMeta, field.NewPath("metadata"))
|
|
|
|
// Input fields for CSI GetCapacity are immutable.
|
|
// If this ever relaxes in the future, make sure to increment the Generation number in PrepareForUpdate
|
|
if !apiequality.Semantic.DeepEqual(capacity.NodeTopology, oldCapacity.NodeTopology) {
|
|
allErrs = append(allErrs, field.Invalid(field.NewPath("nodeTopology"), capacity.NodeTopology, "field is immutable"))
|
|
}
|
|
if capacity.StorageClassName != oldCapacity.StorageClassName {
|
|
allErrs = append(allErrs, field.Invalid(field.NewPath("storageClassName"), capacity.StorageClassName, "field is immutable"))
|
|
}
|
|
|
|
return allErrs
|
|
}
|